A Health Insurance Portability and Accountability Act (HIPAA) audit occurs when the Office for Civil Rights (OCR) investigates a company’s practices to ensure it complies with HIPAA to keep protected health information (PHI) private. Review our HIPAA audit checklist to get your organization ready.

1. Set up Employee Training

Employees need to thoroughly understand HIPAA compliance requirements so they know how to handle medical data. Schedule sessions before the audit to prepare everyone for the real audit and document this training.

2. Create a Risk Management Plan

A risk management plan is a strategy to address organizational security risks that could violate HIPAA, including the potential impact of all probable and unlikely risks. This plan is required under the administrative safeguard of the Security Rule.

Keep Evidence and Documentation of Policies and Procedures

3. Keep Evidence and Documentation of Policies and Procedures

Prepare your security documents to demonstrate your compliance with HIPAA policies. Gather documentation for:

  • Compliance rules state reports.
  • HIPAA privacy policies.
  • Incident response.
  • Breach notifications.
  • Physical security.
  • IT and firewall.

4. Conduct a Risk Assessment

A risk assessment identifies all the security risks your company may have so you can remedy them before they facilitate a breach.

5. Appoint a Security Officer and a Privacy Officer

HIPAA requires all covered entities and businesses to have a Security Officer and a Privacy Officer. These individuals are responsible for the security and privacy of PHI, and their tasks include:

  • Documenting the efforts to meet HIPAA regulations.
  • Reviewing business associate agreements (BAAs).
  • Revising security policies regularly.
  • Conducting risk analyses for data security and IT systems.
  • Recording security incidents and breaches.

6. Review Policy Implementation

A HIPAA audit includes assessing how your company’s policies and procedures fit into your everyday business routine. Ensure you understand how well your policies are working and make adjustments where needed.

Conduct an Internal Audit

7. Conduct an Internal Audit

Before the OCR’s official audit, conduct an internal HIPAA audit to identify and correct problems. Partner with a data security or compliance organization for a comprehensive check.

8. Create an Internal Remediation Plan

When your internal audit is complete, use your findings to create a remediation plan that will reduce your security risks. This plan should include a schedule with timelines to help you stay compliant for the next audit.

See also  How to Hold a Safe, Secure Telehealth Appointment

9. Review and Update Your Compliance Plan Regularly

Stay on top of your organization’s HIPAA compliance by reviewing your policies and procedures regularly. Ensure they are still effective and make improvements if needed.

Contact Agio Today

Agio will help your organization prepare for its HIPAA audit through penetration tests and compliance assessments. To learn more, contact us today.